Home Page Hijack - Plus HJthis log

Discussion in 'malware problems & news' started by newdogdad, Aug 11, 2003.

Thread Status:
Not open for further replies.
  1. newdogdad

    newdogdad Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    7
    Location:
    Tucson, AZ
    o_O
    I am using MS Windows XP Home. HP computer, 2.4GB, 512 ROM, GBROnline.com ISP

    Somehow Gueb.com/ (DON'T GO THERE) became my home page. I tried everything I could to stop this insidious intrusion. I have deleted its cookie; I have changed the Internet Explorer home page to BLANK, then went to my ISP Home page, and in MSIE, made it my home page. I have eliminated all references to GUEB in the registry (5 that I could find).

    I installed (Wilder) Browser Hijack Blaster. I clicked on "Startup minimized to system tray". It works fine for a short time. If I have its icon in the task bar and power off the computer and then restart, then open MSIE, the GUEB home page is back and the icon for Browser Hijack Blaster is gone from the system tray and the cookie is back.

    I can't get rid of this GUEB.com I am out of ideas.
    Anybody have a suggestion?


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\hpztsb05.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\@tour_ww\@tour_ww[1].exe
    C:\Program Files\Interlogic\MEMOKEYS\memokeys.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Documents and Settings\Owner\Desktop\PopDown\Pop-Down\PopDown.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gueb.com/inicio.asp?a=021
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gbronline.com/gbr_prod/city.asp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gbronline.com/gbr_prod/city.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gbronline.com/gbr_prod/city.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\hpztsb05.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [@tour_ww] C:\@tour_ww\@tour_ww[1].exe -t
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ki_washer] C:\Program Files\Kalavath Infotech\Ki-Washer\ki-washer.exe Auto
    O4 - Startup: Memokeys.lnk = C:\Program Files\Interlogic\MEMOKEYS\memokeys.exe
    O4 - Startup: PopDown.lnk = C:\Documents and Settings\Owner\Desktop\PopDown\Pop-Down\PopDown.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center7903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center7903\Program\BackWeb-137903.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re:Home Page Hijack

    Hi newdogdad,

    Welcome at Wilders. :)

    Could you post your HijackThis log
    Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi newdogdad,

    You're lucky I checked on this thread again. Normally I wouldn't have noticed you edited your post.
    Something to remember for next time: better to use the Reply button. ;)

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gueb.com/inicio.asp?a=021
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL =
    O4 - HKLM\..\Run: [@tour_ww] C:\@tour_ww\@tour_ww[1].exe -t
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center7903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center7903\Program\BackWeb-137903.exe

    Reboot after doing so, preferably into safe mode and delete:

    C:\@tour_ww\@tour_ww[1].exe

    That's the dialer that was causing your Hijack.

    You do have a lot of programs starting up. Some of them seem unnecessary to me, but you might find them useful.
    Check the items under O4 against this list http://www.pacs-portal.co.uk/startup_pages/startup_full.htm if you like to weed them out a bit.

    Regards,

    Pieter
     
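The R0/R1 and O4 entries Pieter picks out above, and the "check each O4 against the startup list" procedure he describes later in the thread, are the two things a reviewer scans a HijackThis log for: IE start/search pages pointing at an unexpected host, and autostart entries whose binary lives outside the usual directories. The Python below is an added example, not code from this thread or from HijackThis, that applies both checks to a constructed excerpt modelled on the posted log; the expected hosts and trusted directories are assumptions a reviewer would tailor to the machine in question.

```python
import re

# Constructed sample, modelled on the HijackThis log in this thread (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gueb.com/inicio.asp?a=021
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gbronline.com/gbr_prod/city.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gbronline.com/gbr_prod/city.asp
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [@tour_ww] C:\@tour_ww\@tour_ww[1].exe -t
O4 - HKLM\..\Run: [POINTER] point32.exe
"""

# Hosts the owner expects as home/search pages (assumed for this example).
EXPECTED_HOSTS = {"www.gbronline.com", "srch-us7.hpwis.com"}
# Directories where this machine's legitimate autostart binaries live (assumed).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "c:\\hp\\")

R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?)\s*=\s*(.*)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")

def host_of(url):
    """Return the lower-cased host part of a URL, or '' if it has no scheme."""
    m = re.match(r"^[a-z]+://([^/]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def exe_path(cmd):
    """Extract the executable from an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]

def flag_entries(log_text):
    """Return (reason, name, value) triples for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            url = m.group(4)
            if url and host_of(url) not in EXPECTED_HOSTS:
                findings.append(("unexpected IE page", m.group(3), url))
            continue
        m = O4_LINE.match(line)
        if m:
            path = exe_path(m.group(3)).lower()
            # A bare file name relies on PATH lookup, so its location is unknown too.
            if "\\" not in path or not path.startswith(TRUSTED_PREFIXES):
                findings.append(("autostart outside trusted dirs", m.group(2), path))
    return findings
```

Running flag_entries(SAMPLE_LOG) returns the gueb.com start page, the @tour_ww autostart and the bare point32.exe entry; a flag means "look this one up", as Pieter does against the startup list, not that the entry is malicious.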
  4. newdogdad

    newdogdad Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    7
    Location:
    Tucson, AZ
    Thanks, I really appreciate your help.

    You mention: C:\@tour_ww\@tour_ww[1].exe
    That's the dialer that was causing your Hijack.
    I have only one phone line, I use it to go to my ISP...When does the dialer do its nasty thing?

    I don't quite understand your suggestion to check 04 against the list at pacs-portal. That's a very long list!

    Most of the 04 items are the files installed by Hewlett Packard prior to my purchase of the computer.

    I also do not understand in HiJack This...Running Processes. Are all of those running all the time? Are all of those necessary?
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi newdogdad,

    The dialer starts itself at boot. If you are on dial-up you'd better keep a close eye on your bills. I am not sure if this is the kind of dialer that automatically contacts a more expensive number or if another action from you is required before it does that.

    As to checking the startups I will give you an example.
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe

    On the list I referred to the items will be listed under the first letter of the word in brackets.
    So click on the B and you will be taken to http://www.pacs-portal.co.uk/startup_pages/startup_b.php

    There you will find under BlockTracker:
    Check if the name of the .exe corresponds with what you have before undertaking action.

    The N indicates that this entry is not needed for proper function of your computer.
    But as I mentioned in my previous post, if you use the blocklog.txt file to troubleshoot problems it is a useful entry to you.

    HTH,

    Pieter
     
  6. newdogdad

    newdogdad Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    7
    Location:
    Tucson, AZ
    Hi Pieter

    I am not at the computer we've been talking about. It belongs to a friend who asked me to help. I will not be there until Wednesday afternoon.

    I note that you have said to delete the dialer file AFTER fixing the 5 items you mentioned.

    If I had him delete the dialer file, would it come back when he reboots because the item:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gueb.com/inicio.asp?a=021

    has not been fixed? He does not have the HiJackthis Log. I help him because he is really a novice user, limited to email, and very little Internet uses.

    Hugh
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi newdogdad,

    Stopping the process and deleting the file will get rid of it, but since the startup entry will still be there, Windows will complain about the file it can't find.

    And he would have to change the Start Page manually, because it is thinkable that the program gets reinstalled when visiting that site.

    Regards,

    Pieter
     
  8. newdogdad

    newdogdad Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    7
    Location:
    Tucson, AZ
    Hi Pieter;

    Everything worked just as you meant. My friend :D is very happy :D! Thanks for your right on target help!

    Best regards, Hugh
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    That's good news. :cool:

    Regards,

    Pieter
     